On the Complexity of Branching-Time Logics* 



Volker Weber 

Fakultat fiir Informatik, Technische Universitat Dortmund 
44221 Dortmund, Germany 
volker . weberOtu-dortmund . de. 



Abstract. We classify the complexity of the satisfiability problem for 
extensions of CTL and UB. The extensions we consider are Boolean com- 
binations of path formulas, fairness properties, past modalities, and for- 
gettable past. Our main result shows that satisfiability for CTL with all 
these extensions is still in 2EXPTIME, which strongly contrasts with 
the nonelementary complexity of CTL* with forgettable past. We give 
a complete classification of combinations of these extensions, yielding a 
dichotomy between extensions with 2EXPTIME-complete and those 
with EXPTIME-complete complexity. In particular, we show that sat- 
isfiability for the extension of UB with forgettable past is complete for 
2EXPTIME, contradicting a claim for a stronger logic in the literature. 
The upper bounds are established with the help of a new kind of pebble 
automata. 

Keywords, branching-time logic, CTL, complexity of satisfiability, peb- 
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1 Introduction 

Branching-time logics like CTL are an important framework for the specification 
and verification of concurrent and reactive systems )6.13 1 . . Their history reaches 
almost thirty years back, when Lamport discussed the differences between linear- 
time and branching-time semantics of temporal logics in 1980 [T^. The first 
branching-time logic, called UB, was proposed the year after by Ben-Ari, Pnueli, 
and Manna, introducing the concept of existential and universal path quantifi- 
cation f2]. By extending UB with the "until" modality, Clarke and Emerson 
obtained the computational tree logic CTL 5J, the up to date predominant 
branching-time logic. 

Since then, many extensions of these logics have been considered. Some of 
these extensions aimed at more expressive power, others were introduced with 
the intention to make specification easier. In this paper, we consider four of these 
extensions that have been discussed at length in the literature, namely Boolean 
combinations of path formulas, fairness, past modalities, and forgettable past. 

Combining these extensions, we obtain a wealth of branching-time logics. 
Many of the logics have been studied for their expressive power, the complexity of 
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their satisfiability and model checking problems, and for optimal model checking 
algorithms. Nevertheless, for most of these logics the picture is still incomplete. 

In this work, we complete the picture for the complexity of the satisfiability 
problem. Concretely, we completely classify the complexity of satisfiability for 
all branching-time logics obtained from UB and CTL by any combination of the 
extensions listed above. 

Let us take a look at those parts of the picture that are already there. The 
classical results in the area are the proofs of EXPTIME-completeness for sat- 
isfiability of UB [2] and CTL [S] . In the following paragraphs, we review known 
results for the extensions we consider. 

Boolean Combinations of Path Formulas. Both, UB and CTL, require that every 
temporal operator is immediately preceded by a path quantifier. Emerson and 
Halpern were the first to study a logic that also allows Boolean combinations of 
temporal operators, i.e., of path formulas, as in E(Fp A -^Fq) fSJ. They called 
these logics UB^ and CTL^ and obtained the following hierarchy on their ex- 
pressive power: UB -< UB+ -< CTL = CTL+. Concerning complexit£], CTL+ 
has been shown to be complete for 2EXPTIME by Johannsen and Lange [T5] . 
The precise complexity of UB"*" is unknown. 

Fairness. CTL cannot express fairness properties, e.g., that there exists a path 
on which a proposition p holds infinitely often. Therefore, Emerson et al. in- 
troduced ECTL by extending CTL with a new temporal operator F°°, such 
that Er°°p expresses the property above. The logic combining ECTL with the 
extension discussed before, ECTL"'", roughly corresponds to the logic CTF of [7]. 

The logic CTL* of Emerson and Halpern extends ECTL"*" with nesting of 
temporal operators as in EG{p V Xp) [9]. Satisfiability for CTL*, and therefore 
for ECTL+, is 2EXPTIME-complete pHfTl] . 

Past Modalities. While being common in linguistics and philosophy, past modal- 
ities are mostly viewed only as means to make specification more intuitive in 
computer science. For a discussion of this issue and of the possible different se- 
mantics of past modalities, we refer to |16I21| . We adopt the view of a linear, 
finite, and cumulative past, which is reflected in our deflnition of semantics of 
branching-time logics based on computation trees. 

We use PCTL to refer to the extension of CTL with the past counterparts 
of the CTL temporal operators, and likewise for other logics. While PCTL is 
strictly more expressive than CTL [IB], this is not the case for PCTL* and 
CTL* |14I20! . In both cases, past modalities do not increase the complexity: 
PCTL is EXPTIME-complete ^ and PCTL* has recently been shown to be 
2EXPTIME-complete by Bozzelh [3]. 

Forgettable Past. Once past modalities are available, restricting their scope is a 
natural way to facilitate their use in specification. To this end, Laroussinie and 
Schnoebelen introduced a new operator N for "from now on" to forget about 
the past [50]. I.e., past modalities in the scope of a N-operator do not reach 
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further back than the point where the N-operator was apphed. For results on 
the expressive power of this operator, see pp] , 

Satisfiabihty for the extension of PCTL with the N-operator, PCTL+N, 
was claimed to be in EXPTIME by Laroussinie and Schnoebelen [5T] . In con- 
trast to this, a nonelementary lower bound for PCTL*+N was shown in [??] ■ 
Nevertheless, the latter logic is known to be no more expressive than CTL* PO] , 

The logic PECTL^+N, i.e., CTL with all the extensions considered here, also 
has the same expressive power as CTL* [20 . But the proof uses the separation 
result of Gabbay for liner temporal logic [12] , causing a nonelementary blow-up. 
No elementary upper bound for the complexity of satisfiability for PECTL^-|-N 
is known so far. 

In this paper, we completely classify the complexity of satisfiability for all 
branching-time logics obtained from UB and CTL by combination of the exten- 
sions discussed above. In detail, we obtain the following results: 

— We show that satisfiability for all of these logics that allow Boolean com- 
binations of path formulas is 2EXPTIME-complete, improving the known 
lower bound for CTL+ to UB+. 

— Likewise, we show that all logics with forgettable past are 2EXPTIME- 
hard, even if only the past modality P for "somewhere in the past" is allowed. 
This contradicts the claim of Laroussinie and Schnoebelen of EXPTIME 
membership for PCTL-I-N in [21]. 

— We show that all logics that include neither Boolean combinations of path 
formulas nor forgettable past are in EXPTIME. 

— Finally, we show a 2EXPTIME upper bound for PECTL++N, i.e., for 
CTL with all the considered extensions. This strongly contrasts but does 
not contradict the nonelementary complexity of PCTL*+N, although both 
logics are equally expressive. 

The upper bounds are obtained by translation into alternating tree automata 
[25] . To prove the upper bound for PECTL^+N, we introduce the model of 
k-weak-pebble hesitant alternating tree automata and show that their nonempti- 
ness problem is in 2EXPTIME. These automata differ from the one-pebble 
alternating Biichi tree automata of [27] in two respects. First, they use a differ- 
ent acceptance condition to handle fairness, as proposed by Kupferman, Vardi, 
and Wolper for an automata model for CTL* model checking [18,. Second, the 
model allows more than one pebble, but only of a weak kind. These pebbles are 
used to handle forgettable past and Boolean combinations of path formulas. 

Note 

Tragically, Volker Weber died in the night of April 6-7, 2009, right after sub- 
mitting this paper to CSL 2009. An obituary is printed in the proceedings. 
Most of the remarks by the reviewers were incorporated by his advisor, Thomas 
Schwentick. However, major changes were avoided (and had not been requested 
by the reviewers). The help of the reviewers is gratefully acknowledged. 



2 Preliminaries 



This section contains the definitions of branching-time logics and tree automata. 
Both are with respect to infinite trees, which we are going to define first. 

A tree is a set T C N* such that ii x ■ c € T with a; e N* and c G N, then 
X € T and x ■ c' € T ioi all < c' < c. The empty string s is the root of T 
and for all c e N, X • c G T is called a child of x. The parent of a node x is 
sometimes denoted by x ■ —1. We use := {y € W \ x ■ y € T} to denote the 
subtree rooted at the node x €T. The branching degree deg(()a;) is the number 
of children of a node x. Given a set D C N, a D-tree is a computation tree such 
that deg(()a;) G D for all nodes x. 

A path TT in T is a prefix-closed minimal set n CT, such that for every x € tt, 
either x has no child or there is a unique c G N with x-c & n. We use "<" ( "<" ) 
to denote the (strict) ancestor-relation on T. 

A labeled tree {T, V) over a finite alphabet S consists of a tree T and a la- 
beling function V : T E, assigning a symbol from E to every node of T. We 
arc mainly interested in the case where S = 2^^°^ for some set PROP of propo- 
sitions. Such computation trees result from the unfolding of Kripke structures. 
In the following, we consider only computation trees and refer to them as trees. 
We identify (T, V) with T. 

2.1 Branching-Time Logics 

We shortly define the branching-time logics we are going to study. These defini- 
tions are mainly standard. 

We start by defining the logic incorporating all the extensions discussed in 
the introduction. The state formulas </? and path formulas ip of PECTL"'"-|-N are 
given by the following rules: 



where p G PROP for some set of propositional symbols PROP. PECTL -|-N is 
the set of all state formulas generated by these rules. 

We use the usual abbreviations true, false, ip\/ (fi,(p ^ (fi,ip -i-^ ip, and 



The semantics of PECTL"'' -|-N is defined with respect to a computation tree 
T, a node x G T, and, in case of a path formula, a path tt in T starting at the 
root of T. We omit the rules for propositions and Boolean connectives. 



::= p \ ip A (fi \ I Etjj | 
■ip::=ip\ipAip\^ijj\Xip\ ifVip \ F°°ip \ Yip \ ipSip 



Aip := -lE-iV) 



Fif := trueUt^ 
Pip := trueS<^ 



G(p := -iF-«^ 
Hip := -iP-i(p 



T, x h E?A 
T,x\=Nip 

T,TT,x\=ip 



iff there exists a path tt in T, such that x G tt and T,tt,x \= tp 
iff Tx,e \= If 

for a state formula ip, iS T,x \= cp 



T,Tr,x 1= X(/3 iS T,Tr,x ■ c \=: ip, where c £ D and a: • c £ tt 

T, TT, a; 1= ipi\Jip2 iff there is a node y > x in n, such that T,Tr,y \= ip2 

and for all a; < 2: < y we have T, tt, z ^ (/Si 
T, TT, x 1= F°°(^ iff there are infinitely many nodes y G tt such that T,Tr,y \= if 
T, TT, x 1= iff X 7^ e and T, tt, x ■ — 1 ^ 

T,Tr,x \= ipiSip2 iff there is a node ?/ < x in tt, such that T,n,y \= ip2 
and for all y < z < 2: we have T, tt, z |= ipi 

A formula (/? is called satisfiable if there is a tree T such that T,x \^ ip. 
All other logics we consider are syntactical fragments of PECTL^+N. 

UB"*" ip := p \ (p A (f \ ^ip \ 'Etp 

:= ip \ tp A \ ^tp \ Xip I Fip 
UB+P+N ip := p\ (p A(p \ ^ip \ EX(/3 | EF(/7 | AFip \P(p\N(p 
PECTL tp:=p\ipAip\^tp\ EXp \ E((/?U<y9) | A{LplJip) \ EF°°tp \ Y^p \ ipSip 



2.2 Weak- Pebble Automata 

We introduce alternating tree automata equipped with a weak kind of pebbles. 
We call these pebbles weak as they can only be used to mark a node while the 
automaton inspects the subtree belo^^i. In particular, a weak-pebble automaton 
can only see the last pebble it dropped. 

For a given set AT, we use B'^{X) to denote the set of positive Boolean for- 
mulas over X, i.e., formulas built from true, false and the elements of X by 
A and V. A subset Y C X satisfies a boolean formula a € B~^{X) if and only if 
assigning true to the elements in Y and false to the elements in A \ F makes 
a true. 

Definition 2.1. A k- weak- pebble alternating tree automaton (/c-WPAA) is a 
tuple A = (Q, Z", £), , (5, F), such that Q is a finite set of states, S is a. finite 
alphabet, D a finite set of arities, € Q is the initial state, F is an acceptance 
condition, and (5 is a transition function 

5 -.Q y. S X D xM ^ ({drop,lift} x Q) U U {-1, 0, root}) x Q) 

such that (5((7, (T, d, false) ^ (lift,p), no Boolean combination 5{q,a,d,b) con- 
tains any {d! ,p) with d! £ D and d' > d, and no Boolean combination S{q, a, d, true) 
contains any (— l.p). 

In the following definition of the semantics of a fc-WPAA, we will use tuples 
y = {yi,...,yk) & (D* U{_L})'^, called pebble placements, to denote the positions 
of the pebbles, where "±" means that the pebble is not placed. As fc-WPAA will 
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be restricted to use their pebbles in a stack-wise fashion, pebble 1 being the first 
pebble to be placed, there will always be an i G [f , fc], such that yj ^ _L for all 
j < i and ijj = _L for all j > i. I.e., i is the maximal index of a placed pebble 
and we will refer to it by mpp(y). Note that mpp(j/) = if and only if no pebble 
is placed and that ympp{y) is the position of the last placed pebble otherwise. 

Definition 2.2. A configuration {q, x,y) eQxD* x {D* U {-L})'' of a fc-WPAA 
A = {Q, E, D,q'^ ,6, F) consists of a state, the current position in the tree, and 
the positions of the pebbles. 

A run r of j4 on a Z'-labeled D-tree (T, V) is a N-tree (T', V'), whose nodes are 
labeled by configurations of A and that is compatible with the transition func- 
tion. More precisely, the root of T' must be labeled by {q°, e, y) with mpp(y) = 0, 
and for every node v €T' labeled by {q, x, y) the following conditions depending 
on 5 hold, where d :~ deg(a;) and h = true if and only if y-mp-piy) — 

d{q,V{x),d,b) = (drop,p): If mpp(y) < k, then v has a child labeled with 
{q, X, y'), where y'^pp,^y)+i = x and y'j = yj for all j ^ mpp(i/) -f 1. Otherwise, 
i.e., if all pebbles are already placed, the transition cannot be applied. 

S{q, V{x), d, b) = (lift,p): By DefinitionO h — true and therefore j/mpp(y) — x. 
Then v has a child labeled with (q, x, y'), where y'„^pp(^y) = -L and y'j = yj for 
ah j ^ mpp(j/). 

y{x): d,b) = a for a boolean combination a G i3+((I?U {— 1, 0, root}) x Q): 
There has to be a set Y C [D L) {—1,0, root}) x Q, such that Y satisfies 
a, and, for every (c,p) G Y, there is a child w • c of w in T" such that v ■ c 
is labeled by (p, x ■ c,y), where x ■ and x ■ root denote the node x itself. 
Additionally, we require that Y does not contain a tuple {—l,q) if x — e and 
that Y contains a tuple (root, q) only if x = e. 

We call a run r accepting if every infinite path of r satisfies the acceptance 
condition and every finite path ends in a configuration where a transition to the 
Boolean combination true applies. A labeled tree (T, V) is accepted by A if and 
only if there is an accepting run of A on (T, V) . The language of A is the set of 
trees accepted by A and denoted L{A). 

Definition 2.3. A symmetric k-weak-pebble alternating tree automaton is a tu- 
ple A = {Q, Sjq'^ , S, F), such that Q is a finite set of states, S is a finite alphabet, 
£ Q is the initial state, F is an acceptance condition, and 

d:QxSxM^ ({drop,lift} x Q) U 6+(({n, 0, -1, 0, root}) x Q) 

is a transition function such that S{q, a, faJ.se) =/= (lift,p) and (5(g, cr, true) does 
not contain any (— l,p). 

The semantics of a symmetric /c-WPAA are defined as for (nonsymmetric) 
/c-WPAA, except for the last case, S{q, V{x), d, b) = a, where we require that for 
every tuple (0,p) G Y there is child of v in T' labeled by (p, x ■ c) for some child 
a; • c of X in T, and for every tuple (n,p) G Y and every child a; • c of x in T, 
there is child of v in T' labeled by (p, x • c). The conditions on tuples (— l,p), 
(0,p), and (root,p) remain unchanged. 



So far, we have not specified the acceptance conditions for our automata. For 
our purposes, hesitant alternating tree automata as introduced by Kupferman, 
Vardi, and Wolper are a good choice [TB]. They allow for an easy translation 
from CTL* [TH] and have proved useful in studies of CTL* with past [17 3 . 

A k-weak-pebble hesitant alternating tree automaton (fc-WPHAA for short) 
A = (Q, r, D, g", S, F) is a /c-WPAA with F ^ (G, B), G, B C Q, that satisfies 
the following conditions: 

— There exists a partition of Q into disjoint sets Qi, . . . , Qm and every set Qi 
is classified as either existential, universal, or transient. 

— There exists a partial order < between the sets Qi, such that every transition 
from a state in Qi leads to states contained either in the same set Qi or in 
a set Qj with Qj < Qi. 

— li q d Qi for a transient set Qi, then d{q, a, d, b) contains no state from Qi. 

— If Qi is an existential set, q G Qi and d{q, a, d, b) = a, then a contains only 
disjunctively related tuples with states from Qi. 

— If Qi is a universal set, q G Qi and S{q, a, d, b) = a, then a contains only 
conjunctively related tuples with states from Qi. 

Every infinite path tt in a run of a fc-WPHAA gets trapped in an existential 
or a universal set Qi. The acceptance condition (G, B) is satisfied by tt, if either 
Qi is existential and m/(7r) fl G 7^ 0, or Qi is universal and m/(7r) n B = 0, 
where m/(7r) denotes the set of states that occur infinitely often on tt. 

We also consider symmetric /c-WPHAA. Here, we additionally require that 
for every existential (resp. universal) set Qi and every state g G Qi, 6{q,a,d,b) 
does not contain a tuple {0,p) (resp. {(),p)) with p e Qi. 

The size of an automaton is defined as the sum of the sizes of its components. 
Note that this includes the size of D in the case of nonsymmetric automata. 

If we remove the pebbles from our automata, we obtain ( symmetric ) two-way 
hesitant alternating tree automata. Such an automaton has a transitions function 
of the form 5 : Qx E ^ B'^{{{U\, (), —1, 0, root}) x Q) in the symmetric case and 
is obtained from the above definitions in a straightforward way. 

Symmetric two-way HAA have been used by Bozzelli to prove membership in 
2EXPTIME for CTL* with past [3]. Opposed to the definition given there, we 
do not enforce that infinite paths in a run move only downward in the tree from 
a certain point on. Therefore, our results on symmetric two-way HAA are not 
implied by [3]. Nevertheless, the restricted version of [3j would suffice to prove 
our results on the complexity of branching-time logics. 

3 Complexity of Satisfiability 

We give a complete classification of the complexity of the satisfiability problem 
for all branching-time logics obtained from UB and CTL by any combination of 
the extensions discussed above. As our main theorem, we proof 2EXPTIME- 
completeness for all logics including forgettable past or Boolean combinations of 
path formulas. 



Theorem 3.1. The satisfiability problems for all branching-time logics that are 
a syntactical fragment of PECTL~''+N and that syntactically contain UB^ or 
UB+P+N are complete for 2EXPTIME. 

The upper bound is proved in Section 13.21 with the help of weak-pebble al- 
ternating tree automata. There, we also show that satisfiability for all remaining 
logics is in EXPTIME. 

The lower bounds on UB+P+N and UB^ are proved next. 

3.1 Lower Bounds 

We obtain both results by reduction from the 2"-corridor tiling game, which is 
based on the 2^-corridor tiling problem. An instance / = {T, H,V, F, L,n) of 
the latter problem consists of a finite set T of tile types, horizontal and vertical 
constraints H,V C T xT, constraints F, L C T on the first and the last row, and 
a number n given in unary. The task is to decide, whether T tiles the 2" x m- 
corridor for some number m of rows, respecting the constraints. We assume 
w.l.o.g. that there is always a possible next move for both players. 

The game version of this problem corresponds to alternating Turing Ma- 
chines: The 2"^ -corridor tiling game is played by two players E and A on an 
instance / of the 2"-corridor tiling problem. The players alternately place tiles 
row by row starting with player E and following the constraints, as the opponent 
wins otherwise. E wins the game if a row consisting of tiles from L is reached. 
To decide whether E has a winning strategy in such a game is complete for 
AEXPSPACE [4 , which is the same as 2EXPTIME. 

Proposition 3.2. Satisfiability for UB+P+N is 2EXPTIME-/iard. 

Proof. Given an instance / = {T, H,V, F, L,n) of the 2^ -corridor tiling game, 
we build a UB+P+N-formulas tpi that is satisfiable if and only if player E has 
a winning strategy on /. 

We encode such a winning strategy as a finite T-labeled tree as described 
in [27|: The levels of the tree alternately correspond to moves of E and A, and 
every node representing a move of E has one child for every next move of A. As 
each player always has a possible move, the only way to win for E is to reach a 
line with tiles from L. Therefore, every path in the encoding has to represent a 
tiling respecting all constraints. 

The formula ipi — ips ^ fn A (ft consists of three parts: The formula ips 
describes the structure of the encoding and ipn introduces a numbering of the 
nodes representing one line of the tiling using the propositions go,. . . ,qn-i as 
shown in Figure [T] Both are UB-formulas and can be taken from [57] . 

The formula (ft is used to describe the actual tiling. It states that every node 
corresponding to a position in the tiling is labeled with exactly one proposition 
Pt, representing the tile t & T, and that all constraints are respected. We use 
as an abbreviation for A A -'P(g# A P(-'g# A Pq^)), expressing that the 
current node represents a position in the tiling and that there is at most one row 



g# 2" - 1 a# g# o 2" - 1 g# <? i 

row 1 row m 

Fig. 1. A path in the encoding of a winning strategy for the 2"-corridor tihng 
game with m rows [2 7) . 

above. This, together with the N-operator, will allow us to check the vertical 
constraints. 

ipt = A.G{[-^q ^ ^q^] ^ [\J {pt ^ /\ ^pt') AOh Aev A0a]) AOa' Adp AOl 

n-1 

9h = ^ f\ q^ ^ /\{Pt AX y pt,) 
i=o teT (t,t')eH 

n-l 

Ov = NAXAG([z9 h f\{q, ^ PHg,)] ^ A (^'^ ^ V ^^Pt')) 

i=o teT (t,t')ev 

We omit the formulas corresponding to the constraints F and L. 

The subformulas 9a and 9a' enforce that every possible move of A is repre- 
sented, where 9a' treats the special case of the first row of the tiling. 

n-l 

9A = qQ^ NAXAG([i? A -go A /\ {q, ^ PHg,)] 

i=l 

^ f\{Pt^ A [EXpt^VPH V pt„])) 
teT {t,t')eH (t",t')^v 

9 A' = AG(hgo A -P(g# A P-g#)] ^ A ^ A EXp*,)) 

teT (t,t'eH) 

Note that a model for (pi might encode several possible moves for E and 
moves of E and A might be represented more than once. But by removing 
duplicates and restricting to one arbitrary move for E at every position where 
E has to move, we obtain a winning strategy for E on I from a model for ipj. 
For the reverse direction, a winning strategy for E can be directly turned into a 
model for (fj. □ 

Concerning Boolean combinations of path formulas, we can refine the proof 
of 2EXPTIME-hardness for CTL+ by Johannsen and Lange [15] to show the 
following theorem. 

Proposition 3.3. Satisfiability for UB+ is 2EXPTIME-/iard. 

The proof is by reduction from the 2"-corridor tiling game. The main idea 
is to use a numbering of the rows modulo three to able to express that a path 
reaches up to the next row, but not beyond, without the U-operator. The details 
can be found in the appendix. 



3.2 Upper Bound 



We prove the upper bound of Theorem 13. II in two steps. Fhst, we show how to 
translate a PECTL-formula into a two-way hesitant alternating tree automaton, 
thereby giving an exponential time algorithm for PECTL-satisfiability. After- 
wards, we extend this construction to PECTL^+N and weak-pebble automata. 

Theorem 3.4. The satisfiability problem for PECTL is EXPTIME-comp/ete. 

Proof. The lower bound follows from the EXPTIME-hardness of CTL. To 
prove the upper bound, we extend the construction from ^25J that translates 
a given CTL-formulas into an alternating Biichi tree automaton. 

Let (y3 be a PECTL-formula and PROP;^ the set of proposition symbols occur- 
ring in Lp. We construct a symmetric two-way hesitant alternating tree automata 
2ty = (Q,Z',gO,(5, (G,B)) with S = 2^'^°'''', such that ip holds at the root of 
some Z'-labeled tree (T, V) if and only if 2l(^ accepts this tree. The result follows 
since nonemptiness for these automata is in EXPTIME (Theorem 14.61) . 

Let "0 denote the dual of a formula ip. The dual of a formula is obtained by 
switching A and V, and by negating all other maximal subformulas, identifying 
-i^V and ^. E.g., the dual of p V {-^q A EGp) is -^p A{qy -^EGp). 

The set Q of states of 21,^ is based on the Fisher-Ladner-closure of (p. It 
contains (p, (EXEF°°-0) A ip for every subformula EF°°-0 of (p, and is closed 
under subformulas and negation. The initial state is ip. The set G contains all 
formulas of the form -.E(xUV'), -'A(xUV^), and (EXEF°°V) A ip, the set B all 
formulas of the form -iEXEF°°-0- The transition function is defined as follows, 

(5(true, cr) = true (5(p, cr) = true ifpGcr 

(5(f alse, cr) = false cr) = false if p ^ cr 

5(VAe,fT) = (0,V) A(0,e) (5(-0,a) =^(0,a,6) 

S{EX^, a) = (0, i') SiY^, a) = (-1, V) 

5(EF°° V, cr) = (0, EF°°7/;) V (0, (EXEF°° V) A ^j) 
5(E(xUV'), a) = (0, ^) V ((0, x) A (0, E(xU0)) 
SiA{xlJ^j),cT) = (0, V) V ((0, x) A (□, A(xUV')) 
SixS^P, a) = (0, V) V ((0, x) A (-1, xS^-)) 

where the notion of dual is extended to the transition function 6 in the obvious 
way, e.g., <5(E(xU7A), a) = (0,^) A ((0,x) V (□, -E(xW)). 

To show that is a hesitant automaton, we have to define the partition of 
Q. The formulas (EXEF°°V) A V, EXEF^^i/., and EF^^i/- form an existential 
set. Likewise, (-.EXEF°°'0) V -.-0, -'EXEF°°-0, and -.EF°°^ form a universal 
set. Every other formula -0 € Q constitutes a singleton set {-0}. These sets are all 
transient, except for the sets {E(xU0)} and {-iA(xU0)}, which are existential, 
and the sets {-iE(xUV')} and {A(xU^)}, which are universal. The partial order 
on these sets is induced by the subformula relation. □ 

We extend this construction to prove our result on PECTL+-hN. To this end, 
we have to find a way to deal with the N-operator and Boolean combinations of 
path formulas. As we will see, pebbles can be used to handle both. 



To obtain the desired result, it is importan10 

that the number of pebbles an automaton uses does not depend on the for- 
mula from which it is constructed. But if we translate a PECTL++N-formula 
into an equivalent pebble automaton along the lines of the above construction, 
the number of pebbles depends on the nesting depth of N-operators and Boolean 
combinations of path formulas. To avoid this, we show that we can restrict to 
formulas with limited nesting. But there is a price we have to pay: We will only 
obtain an equisatisfiable formula/automaton but not an equivalent one as in the 
proof of Theorem 13.41 Nevertheless, this will suffice to obtain our complexity 
result. 

We say that a PECTL^+N- formula is in normal form, if it does not contain 
any nesting of N-operators, all path quantifiers that are followed by a Boolean 
combination of path formulas are not nested and occur only in the scope of an N- 
operator, and finally all Boolean combinations of path formulas are in negation 
normal form. 

Lemma 3.5. Every PFjCTU^ +1^ -formula ip can be efficiently transformed into 
a PFjCTIj^ -formula in normal form with 1-01 = 0(|(y9|), such that -0 is 
satisfiable if and only if (p is satisfiable. 

We show that any PECTL^-formula in normal form can be translated into 
a /c-WPHAA with only two pebbles. This completes the proof of Theorem 13.11 
as nonemptincss for these automata is in 2EXPTIME by Theorem 14. II 

Lemma 3.6. Given a PECTL^+N-/ormu/a ip in normal form, we can con- 
struct a symmetric 2-WPHAA 21;^ of size 0{\(p\), such that L(2t,p) ^ 9 if and 
only if ip is satisfiable. 

Proof. We extend the proof of Theorem 13.41 showing how to use pebbles to 
handle the additional features of PECTL^-|-N. Since ip is given in normal form, 
two pebbles will suffice. 

The handling of the N-operator is straightforward: We only have to drop 
the pebble and never lift it again. As fc-WPHAA are not allowed to move above 
a pebble in a tree, the dropping of the pebble corresponds accurately to the 
meaning of the N-operator. 

The handling of Boolean combinations of path formulas is more involved and 
mainly a matter of synchronization. An automaton corresponding to the formula 
E{F°°p A F°°q) cannot simply split into two automata corresponding to F°°p 
and F°°q, respectively, as these two automata need to run on the same path in 
the tree. Le., they have to be synchronized. 

^ Comment by Thomas Schwentick: this remark might puzzle the reader in the light 
of the results of Section|4l In an earlier version of the paper, the upper bound on the 
branching width in Proposition 14.51 was 2*^'" \ hence the need to bound the number 
k of pebbles. However, shortly before submission time, Volker discovered that this 
upper bound can be improved to 2" C'+i), thus resolving the need to bound the 
number of pebbles. Seemingly, he did not find time to fully adapt (and simplify) the 
paper accordingly. 



We will achieve synchronization using two different techniques. To this end, 
let E^/; be a subformula of such that V-" is a Boolean combination of path 
formulas p\,...,pi and tt a path on which we want to evaluate V- For some of 
the path formulas pi, it is the case that if they hold on tt, then a finite prefix 
sufiices to witness this, e.g., if pi = pVq- For other path formulas we have to 
consider the whole, probably infinite path tt. What thereof is the case depends 
on the temporal operator and whether it appears negated or not. 

To evaluate Etp at a node u, will first guess a finite prefix of a path. The 
intention is that this prefix can serve as a witness for all path formulas p, that 
allow for a finite witness, either to show that they hold or that they do not hold 
on this path. 

Those parts of ijj that refer to the finite prefix are now checked by 21,^ while 
moving up the tree again. E.g., if pi = Fp, then the subautomaton 2lp. corre- 
sponding to pi will run upwards looking for a node v labeled by p. As there is 
only one path going upward in a tree, we get synchronization for free. But we 
have to make sure that v is a descendant of u. Therefore, the second pebble has 
to be dropped at u before the automaton starts to guess the finite prefix. This 
allows to reject when it reaches the pebble position without having seen a 
state labeled by p. On the other hand, if pi — FPp, it is important that the 
second pebble can be lifted again as the witness might be above u in this case. 

We still have to synchronize those subautomata that correspond to path 

formulas talking about the infinite suffix of the path. But there are only two 
types of conditions left, namely those of the form Gx and those of the form 
F°°x- We can easily see that if a path satisfies a positive Boolean combination 
of such conditions, then every suffix of this path does so as well. This allows us 
to deploy the following technique. 

Roughly speaking, we want to reduce the satisfiability problem for to sat- 
isfiability over a restricted class of models, where the suffixes of witnessing paths 
for Boolean combinations of path formulas are labeled by additional propositions. 
More precisely, for a subformula Etjj of if we introduce a new prepositional sym- 
bol p^ and add to (p the new conjunct AG(-ip^ V EGp^). The automaton we 
are going to construct for this extended formula will, when evaluating Eijj, work 
as follows: It will drop the pebble and guess a prefix of a path on which tp is 
supposed to hold. But this prefix has to end in a node labeled by p.^ . The condi- 
tions on this finite prefix can be checked as described above. For the conditions 
on the suffix, we use the labeling to synchronize the independent subautomata 
corresponding to conditions to be checked. 

Note that we cannot guaranty that there is only one path labeled by pip . But 
we can simply check that the conditions hold on all paths labeled by p^ as there 
is at least one such path. Please also note that this technique cannot be used for 
the conditions on the finite prefix of the path as the labeling is not allowed to 
depend on the node at which is evaluated. □ 



4 Nonemptiness of Weak-Pebble Automata 



The complexity of the nonemptiness problem for weak-pebble alternating tree 
automata is analyzed in this section. 

Theorem 4.1. The nonemptiness problem for (symmetric) k-weak-pebble hesi- 
tant alternating tree automata is complete for 2EXPTIME. 

We prove this theorem for the case of nonsymmetric automata by reduction 
to the nonemptiness problem for Rabin tree automata [22124] . Afterwards, we 
generalize the result to symmetric automata by observing that every symmetric 
fc-WPHAA accepts a tree of bounded branching degree. 

Definition 4.2. A nondeterministic Rabin tree automaton (NRA) 21 is a tuple 
(Q, S. D, (7", S, F), such that Q is a finite set of states, S is a finite alphabet, D a 
finite set of arities, (7° G Q is the initial state, F is a set {(Gi, Bi), . . . , (G™, Bm)} 
with Gi, Bi C Q, and 6 : Q x S x D ^ 2^^ is a transition function, such that 
5{q, a, d) C Q'^ for all q £ Q, cr £ S, and de D. 

We omit the (straightforward) definition of a run. An infinite path tt in a run 
of 2t satisfies the acceptance condition F — {(Gi, Si), ... , (G„i, B,n)} if and only 
if there exists a pair (Gi, Bi) G F such that m/(7r) flGi ^ and m/(7r) nSi — 0. 

A run r on a tree T is accepting iff every infinite path of r satisfies the 
acceptance condition and we have 5{q, V{x)^ 0) — {e} for every finite path ending 
in a state q at a leaf x of T, where e denotes the sequence of states of length 0. 

The last part of the definition is nonstandard and used to avoid the re- 
quirement that every path of T is infinite. Note that 21 rejects a finite path if 
%,F(x),0) =0. 

The nonemptiness problem for these automata is NP-complete in general, 
but it can be solved in polynomial time if the number of tuples in the acceptance 
condition is bounded by a constant [11 . For our purposes, one tuple suffices. 

Proposition 4.3 ([TlJ). The nonemptiness problem for nondeterministic Ra- 
bin tree automata whose acceptance condition contains only one tuple can be 
decided in polynomial time. 

Together with the following translation, this yields Theorem 14. II for the case 
of nonsymmetric fc-WPHAA. 

Lemma 4.4. For every fc-WPHAA 2t = {Q<^, D,q^,S^, {G^,B<^)), there is 
a nondeterministic Rabin tree automaton 03 = (Q^Bi -O, g^, Jib, {(G^, S23)}), 
such that i(2l) = L{^) and the number of states of *B is at most doubly expo- 
nential in \Q%\. Moreover, *B can be constructed from 21 in exponential space. 

Proof. We start with the observation that we can restrict to homogeneous runs of 
21, i.e., to runs where 21 always behaves in the same way when being in the same 
configuration. Formally, we call a run r homogeneous, if whenever two nodes of 
r are labeled by the same configuration, then the set of labels occurring at there 
children is also the same. If 21 has an accepting run, it also has an accepting 



homogeneous run. This follows immediately from the existence of memoryless 
winning strategies for two-player parity games on infinite graphs |10I28| . 

Next, we describe how to construct the automaton S from 21. When running 
on a tree T, 55 will guess a homogeneous run r of 2t and accept if and only if 
the guessed run r is accepting. Of course, 55 cannot guess r at once. Instead, OS 
will guess at every node x ^ T how 21 behaved at x during r. The consistency 
of these guesses has to be checked by ?B. Additionally, 55 has to check whether 
the guessed run is accepting. 

To perform these tasks, 55 needs to maintain some information about the 
guessed run r of 21. More precisely, the state taken by at a node x € T 
will contain several sets of states of 21 that describe r at x. Additionally, there 
will be some information that will be used to verify that all infinite paths in 
r going through x satisfy the acceptance condition of 21. This information will 
not uniquely determine r, but it will be sufficient to ensure the existence of an 
accepting run. A description of the information 55 stores in its states along with 
a formal definition of S can be found in the appendix. □ 

To transfer this result to the case of symmetric automata, we have to deal 
with the fact that these automata accept trees of arbitrary, even infinite branch- 
ing degree. But we can show that a symmetric /c-WPHAA always accepts a tree 
whose branching degree is at most exponential in the size of the automaton. 

Proposition 4.5. For every symmetric fc-WPHAA 21 with n states: 
If L{A) ^ 0, then 21 accepts a tree whose branching degree is at most 2" 

This can be proved similarly to a corresponding result for symmetric alternating 
one-pebble Biichi automata in [27] . See the appendix for details. 

Now, we can adapt Lemma 14.41 to symmetric fc-WPHAA simply by con- 
sidering every possible branching degree smaller than the bound provided by 
Proposition 14.51 This yields the upper bound of Theorem 14.11 for symmetric 
fc-WPHAA. The matching lower bound follows from the 2EXPTIME-hardness 
of PECTL+-fN via Lemma EH and Proposition [Ml 

Reviewing the proof of Lemma [13 we observe that the resulting NRA *8 is 
only of exponential size if 2t does not use any pebbles, i.e., if 21 is a (symmetric) 
two-way HAA. This yields the following theorem, which has been proved before 
by Bozzelli for a slightly more restricted model [3] . 

Theorem 4.6. The nonemptiness problem for (symmetric) two-way hesitant 
alternating tree automata is complete for EXPTIME. 

5 Conclusions 

In this paper, we considered the branching-time logics UB and CTL and their 
extensions by Boolean combinations of path formulas, fairness, past modalities, 
and forgettable past. While we think that this set of extensions is a reasonable 
choice, there are certainly other extensions or restrictions, such as existential or 
universal fragments, that deserve attention. 



We gave a complete classification of the complexity of the satisfiability prob- 
lem for these logics, obtaining a dichotomy between EXPTIMEl-complete and 
2EXPTIME-complete logics. There are many open questions concerning the 
expressive power of these logics and the complexity of their model checking 
problems that should be addressed in future work. 
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A Comment on the disproved result from |21] 



As we have seen in Theorem 13. 2[ the satisfiabihty problem for UB+P+N is 
2EXPTIME-hard. This contradicts Theorem 4.1 of [H], where membership in 
EXPTIME is claimed for PCTL+N. Therefore, we want to point out where 
we believe the proof of ^2T\ to be wrong. 

A comment on notation: Our logic PCTL+N is called PCTL in [21 and 
CTLjp is used to refer to our PCTL. In the following, we use the notation of 

m- 

We believe that the proof of Lemma 4.3 in [5T] is wrong. This Lemma is used 
to prove Theorem 4.1. 

In this lemma, the extentions of PCTL and CTL/p with outermost existential 
quantification of propositions, called EQPCTL and EQCTL^^, are considered. 
The claim of Lemma 4.3 is that every EQPCTL-formula ip can be transferred 
in linear time into an EQCTLj^-formula ip such that ip =* ip. (=* refers to 
equivalence over acyclic structures, see [3T] for details.) The authors first argue, 
that for every subformula N-^ where contains no N, there is a CTL-formula 
tjj and some new propositions p[, . . . ,p'i^ such that 

=* 3p[ ■ ■ ■ 3p'fe^. (1) 

So far, the proof appears to be correct. 

But next, they claim that they can use another proposition/)^ to obtain the 
following eui valence: 

^[NV^] ^* 3p[ ■ ■ ■ 3p',3p'^{p[p'^] A AG{p'^ ^ ^)) (2) 

To see why Equation ^ is wrong, let us go a step back. We can use Equa- 
tion [T] to substitute N?/' in (p: 

p>m]^* p^[3p'^---3p'^i,] (3) 

Note that the formula on the right of Equation ([3]) is not a EQPCTL-formula as 
the quantifiers appear inside the formula. This seems to be the reason why the 
proposition p'^ is introduced. But this should result in the following equation, 
where the right-hand side is again no EQPCTL-formula. 

^[N^] ^* 3p'^{p,[p'^] A AG{p'^ ^ 3p\ • . . 3p'^^)) (4) 

But the formula on the right-hand side of Equation is clearly not equivalent 
to the one on the right-hand side of Equation ^ . 

To put this more intuitive, note that the new propositions in Equation ([1]) 
are used to mark those states where certain subformulas of ip including past 
operators hold (see lemma 4.3 of [21 ). This information clearly depends on 
where the preceding N-operator was used. E.g., whether Ytrue holds at a state 
clearly depends on whether N was applied to this state before. This dependency 
is reflected in Equation ^ by newly quantifying the propositions p[ at every 
state when establishing the equivalence between and ip. I.e., the quantifiers 
are inside the AG-sub formula. Drawing them out, as done in f21', corresponds 
to ignoring the dependency described above. 



B Proof of Proposition 13.21 



For sake of completeness, we give the omitted formulas. 

ips ^ Qi^A AG(-.((7 A A AF(q# A AXq) A AG{q AGq) A E,X{^q) 

ipn = AG([g# ^ (AX(^g A^q#A /\ -g,) V AXq)]A 

1=0 

n-l 

[(-g A ^ (( A * A AXg#) V (AX(-q A A //))]) 

i=0 

ra-1 

^ = V ( A ^ AX^g^ ) A -g, A AXg.A 

i—0 j<i 

/\i{q, ^ AXg,) A i^q, ^ AX-g,))) 

j>i 

0F = AXAF(g# A H(g# V \/ p*)) 

Ol = AF(g# A -AXg A AG(g# V g V Y pt)) 

C Proof of Proposition 13.31 

Given an instance / — (T, H, V,F,L, n) of the 2^'' -corridor tiling game, we build 
a UB+P+N-formulas ipi that is satisfiable if and only if player E has a winning 
strategy on /. 

We encode the winning strategy as in the proof of Theorem 13. 21 but for two 
extensions. First, as in [15] . every state corresponding to a position in the tiling 
will have a copy-state as child, i.e., a state where the same propositions hold 
except for a new proposition c used to label the copy states. Furthermore, all 
children of copy-states are copy-states carrying the same information. Second, 
we use the symbols ei, 62, 63 to introduce a numbering modulo three of the rows. 

Using the following abbreviations, 

e = ei V 62 V 63 
V'e = (ei ^ Xei) A (62 ^ Xe2) A (63 ^ Xea) 

■01 = Fc A ((61 A Fe2 A -iFea) V (62 A Fes A ^Fei) V (63 A F61 A ^F62)) 

we obtain the formula Lpi, where the purpose of each subformula 9x is the same 
as in the proof Theorem 13.21 

7 

ipi = f\Lp,A AG(6 ^ {Oh A9vA Oa)) A Oa' AOp AOl 
1=1 



(pi = g# A EXtrue A AXei 

(^2 = AG((g# A -ig A -ic A -iCi A -162 A -163) 

V {-^q^ Aq A^cA -iCi A -162 A -163) 

V A^q Ac A ^ei A A -163) 

V (~'(7# A A A ei A A -163) 

V A^q A^c A -^ei A 62 A -163) 

V A -ig A -ic A -lei A -162 A 63)) 

n-1 

<^3 = AG(g# ^ (AXg V AX(e A /\ A AG{q AGq)A 

AG(c^ AGc) 

(^4 = AG(e^ [EX(eV9#)AEXcA V(pt A /\ ^pt.)]) 

«eT t'eT, tjtf 

n-1 

<P5 = AG((e V c) ^ A(Xc ^ [Ve A /\ ^ Xg^) A /\{pt ^ Xpt)])) 

i=Q teT 

n—1 n—1 

ip6 = AG((e A^ /\qi)^ A(Xe ^ [^e A Y (/\ (g^- A X-^qj) A -^qi A Xg^A 

^ Xg,))])) 

n-1 

</97 = AG((e A f\qi)^ A[X(c V g#) A (ei AXAX(c V g V 62)) 

A (62 AXAX(c V g V 63)) A (63 AXAX(c V g V ei))]) 

teT {t,t')eH 

n-1 

^y=A([^iA /\te^F(cAgi))]- AIp*^ V F(cAptO]) 
j=o teT (t,t')ev 

= (go A EF(g# A EX^g)) -> /\ (pt^[ 

(t,t')ev 

n-1 

E(V'iA /\(gi^F(cAgi))AF(cAptO)V 

i=0 

n-1 

A([^iAF(cA-go)A /\((7i^F(cAgi))]^F[cA \/ pt"])]) 

i=l {t",t')(^H 

Oa' = A(-Fg# ^ G((e A -go) ^ A (^^* ^ A (EXpt')))) 

teT (t,t')eH 



0F = A(-Fe2 G(g# V \/ pt)) 

Ol = AG((?# A([Xe A Fg A ((d A ^Fe2) V (e2 A ^Fea) V (es A ^Fei))] 

-.G[q#y qy\/ Pt])) 
teL 

D Missing Details from Section 13.21 

This section contains the missing details from Section 13.21 A formal definition 
of the normal form and the proofs of Lemma 13.51 and Lemma 13.61 

Definition D.l. A PECTL^+N -/ormw/a is in normal form, if it can be gen- 
erated by the following context free grammar. 

5*1 ^ P I S*! A S*! I I EXS'i I E(5iU5i) | A(5iU5i) | 

EF°°5i I Y5i I S-iS^i I N52 
^2 ^ P I ^2 A ^2 I -52 I EX52 I E(52U52) I A(52U52) | 

EF~52 I Y52 I 52S52 I E53 | AS3 
5*3 ^ 5*3 A 5*3 I 5*3 V 5*3 I XSi \ F°°54 | 54US'4 | YS'4 | 54SS'4 | 

-X54 I -F°°54 I -(54U54) I -YS'4 I -(54SS'4) 
£•4 ^ P I 5*4 A 5*4 I -54 I EX54 I E(54U54) | A(54U54) | 

EF°°S'4 I YS'4 I 5'4SS'4 
P^p for all pe PROP 

Please observe that a formula in normal form does not contain any nesting 
of N-operators. Furthermore, path quantifiers that are followed by a Boolean 
combination of path formulas are not nested and such path quantifiers occur 
only in the scope of an N-operator. Moreover, Boolean combinations of path 
formulas are in negation normal form. 

Proof (of Lemma \3.5\) . The proof is by standard renaming techniques. 

Let NV' be a subformula of ip such that ^p contains no further N-operator. 
We introduce a new proposition to mark those states where N-f/j holds. 

Now, we replace N?/; with pNi/i in ^ and add a conjunct AG(pN?/; ^ Nip). The 
resulting formula is satisfiable if and only if ip is satisfiable. Repeating this for 
every subformula of the form Nip results in a formula ip' A without nested 
occurrences of the N-operator. 

After prefixing ip' with a N-operator, every Boolean combination of path for- 
mulas is in the scope of some N-operator. To avoid the nesting of these Boolean 
combinations, we apply the same renaming technique, but inside the subformulas 
of the form N-^. Le., we substitute in and add conjuncts to ip. 

Finally, we use De Morgan's law to obtain a formula in normal form that is 
satisfiable if and only if ip is satisfiable. □ 



Proof f of Lemma \3.6]) . 

We give the detailed construction along the lines described above. 

As tp is given in normal form, it can be generate by the context free grammar 
given in Definition lD.il Assuming that the rules iS'2 — >■ £5*3 and ^2 AS'3 are 
used only if necessary, we call every subformula of tp that is generated from S3 
a path formula and every other subformula a state formula. 

Let ■f/'i , . . . , iprri be the maximal path formulas such that Eijjj is a subformula 
of if and ■(/'m+i, ■ ■ • , i^m+n those where A.ipj is a subformula of ip. Furthermore, 
for every ■0^ with j G [1, m + n] let V'j+m+n denote the dual of ipj. We introduce 
for each path formula ipj with j G [1, 2m + 2n] a new propositional symbol pj. 
For every ipj, we add a conjunct to (p to ensure that these propositions are used 
to label paths. 

ip':^ipAAG{ /\ {^pjVE,Gpj)A /\ (-.pj-VAGp^)) 

je[l,m]u[2m+n+l,2m+2Ti] je[m+l,2m+n] 

Now, we construct a 2-WPHAA Sti^'. The states of this automaton will not 
only consist of subformulas of ip' , but carry some additional information. First, 
2ti^/ will work in eight stages and remember in its state in which stage it is. 
Therefore, will have a state [ip, i] for every state subformula ip of ip and 
every i G [1,8]. When handling a Boolean combination of path formulas ipj, 2ti^' 
will also need to remember j as it has to follow the path labeled by pj . To this 
end, 21^' has states [V', where ip is a path subformula of ip, i G [3,6], and 
j G [l,2m + 2n]. 

The automaton will be in stage 1 until it handles a subformula of the form 
N^, when it will go into stage 2. I.e., 21,^' remembers that it dropped the pebble. 
Stage 3 is entered when the second pebble is dropped to guess the finite prefix of 
a path after a subformula of the form 'Eipj occurred. Afterwards, ipj is evaluated 
in stage 4. The stages 5 and 6 serve for the same purposes, but for subformulas 
of the form Aip. As soon as 2ti^/ proceeds to s state subformula of ip, it enters 
stage 7. Finally, stage 8 is entered when the second pebble is lifted. 

The formulas occurring in the states of 21^' are not only the subformulas of 
ip' and their duals. As in the proof of Theorem 13.41 we need some additional 
formulas. E.g, for every path formula of the form -i(xU'i/;), we will also need the 
path formulas H^ip, G-i-0, and P(-ixA). The actual set of states of 21;^' can be 
inferred from the definition of the transition function below. 

2l;p' has the following transition rules for each a £ S = 2^'^*^''^' and each 
6 G B. For i G {1,2,4,6,7,8}: 



(5([true, i] 


(T, b) 


= true 




(5([f alse, i] 


(J, b) 


= false 




S{[p,i] 


a,b) 


— true 


if p G cr 


5{[p,i] 


a,b) 


— false 


if p ^ cr 


Si[iPAC,i] 


a,b) 


= (0, [V',«])A(0, [ti]) 




Si[iPV^,i] 


a,b) 


= (0, [V',*])v(o, 





For i e {1,2,7,8}: 



S{[-^tp,{\,a,b) = S{[ip,i],a,b) 
<5([EXV;,i],c7,6) = (0,[^,i]) 
(5([EF°°^, i],a, b) = (0, [EF~V, *]) V (0, [(EXEF°°^) A V, i]) 
5([E(xUV'), ^], a, 6) = (0, [ib, i]) V ((0, [x, i]) A (0, [E(xUV), z]) 
S{[A{xViP), i],a, b) = (0, [V', i]) V ((0, [x, t]) A (□, [A(xUV'), i]) 



5{[Ytjj,i],a,tTVLe) = false 
(5([YV,i],(7,false) = (-l,[^,i]) 

(^lixSV;, i], cr, true) = (0, [i/-, i]) 
SiixSiP, i], a, false) = (0, [^j, i]) V ((0, [x, i]) A (-1, [xSV', i])) 



In stage 7, past operators have to be handled differently as we might have to lift 
the second pebble. 



^([YV;, 7],a, true) = (lift, [Yi/', 8]) 
(5([YV',7],cr,false) = (-1,[V^,7]) 
,5([xSV^,7],^,true) = (lift,[xS^,8]) 
6{[xSi^, 7], (7, false) = (0, [^jj, 7]) V ((0, [x, 7]) A (-1, [xSV', 7])) 



In the following rules are used to switch from stage 1 to stage 2, from stage 2 to 
stage 3 or 5, and to guess a finite prefix of a path in stage 4 or 5 and to switch 
to stage 4 or 6, respectively. 



J([N^,1], a, false) = (drop, [V,2]) 
S{[^^j,2],a,b) = {0,[7Pj,3,j]) 
5([-.E'^j, 2], C7, b) = (0, [ipj+m+n, 5,j + m + n]) 



For i e {1,2,8}: 



S{bPj,5,j],a, b) 
'5([V'j>3, b) 
6{[A^„2],a,b) 
S{[^Ai^j,2],a,b) 
'^([V'j,5,i],c7,6) 
'^([^j>5,j],(T, b) 



(0,[V'„3,j]) 

(0,[7/^„4,j])V(0,[V,-,3,i]) 
(0,[^„5,j]) 

(0, [ipj+rn+n, 3, j + TO + Tl]) 

(n,[^,-,5,i]) 

(o,[v,-,6,i])v(n,[v,-,5,i]) 



if Pj ^ cr 
if Pj e cr 



if Pj cr 
if e (7 



To evaluate the Boolean combinations in stage 4 and 6, we use the following 
rules for j £ {4,6}. The additional state q is used to check that the pebble is 
placed at the parent node of the current node. 



^([XV',i,i],(7,false) 


= 


((0,[V,7])A(-l,(z))V(-l,[XV,i,i]) 


S{[^tp,i,j],(r,trne) 


= 


false 




(5([-iX^, i, j], (T, false) 


= 


((0, h^,7])A(-l,9))V(-l,hXV, 




5([-iX'i/;, i, j], (T, true) 


= 


false 




d{q, a, false) 


= 


false 




S{q, a, true) 


= 


true 




(5([xUV',i,i],cr, false) 


= 


(-i,[xW,«,i])v 








((0,[V,7])A(-l,[Hx,i,i])) 




5{[xU'ip, hj] - 0". true) 


= 


(0, [^-,7]) 




(5([H'0, i, j], 0", false) 


= 


(0, [V',7])A(-l,[H^,i,i]) 




(^CiHT/;, j, j],cr,true) 


= 


(0, [^-,7]) 




5([-.(xUV'),?,i],cr, false) 


= 


((0, [H-^,z,j])A(n,[G-^,z,j]))V 








(-l,[P(-XAH^V),i,i]) 




'^(h(xUV'),«,j],o',true) 


= 


(□, [G-V, j]) V ((0, hx, 7]) A (0, hV, 7])) 


5i[Gip,i,j],a, b) 




(0, [^,7])A(n,[GV,i,i]) 


if e 




— 


true 


if ^ 


5([P(-XAH-V),«,j],f^,false) 


= 


(0, hx,7])A(0,[H-^,»,j]) 




5([P(^X A H-.V'), i, j], a, true) 


= 


(0, hx,7])A(0, hV,7]) 




6{[F'^i;,i,j],a,b) 


= 


((0,[F°°v,i,i])A(n,[F-v,^,i]))v 








(0, [(XF°°V)AV,i,i]) 


if pj G 


S{[F^i:,t,j],a,b) 




true 


if ^ 






(0,[F°^VA*,,7])A(n,[F~V,i,i]) 




5(hF°°^,z,j],(7,6) 




(0, [G-V',«,J]) 




^([YV',«,i],cr, false) 




(-l,[YV,i,i]) 




'^([YV',i,i],cr,true) 




(lift,[YV',8]) 




<5([^Yi/',i,j],(T,false) 




(-iJ-YV-,*,:/-]) 




<5(hYV','j, j],cr,true) 




(lift, hY^/;,8]) 




'5([xSV',«,j],cr, false) 




(-1, [xSV^,i,i]) 




<5([xS^,z,j],cr,true) 




(lift,[xSV,8]) 




'^(h(xSV'),«,i],<7, false) 




(-i,h(xsv),i,i]) 




^(h(xSV'),^,i],o-,true) 




(lift,h(xSV),8]) 





The initial state of 21,^/ is [(f' , 1]. The set G contains all states of the form 
hE(xUV'),i], hA(xW),i], and [(EXEF°° V) A V', for all i e {1,2,7,8} and 



the states [Gip,i,j] for i G {4,6} and j G [1,2m + 2n]. The set B contains all 
states of the form [^EXEF°°'i/;, ^] for all i e {1, 2, 7, 8}. 

The partition on Q and the order on the resulting sets is defined analogously 
to Theoreminm In particular, the states [(XF^^ip) AtpjiJ], [XF°° ip , i , j] , and 
[F°°'ip, constitute an existential set for every choice if i and j. 

To prove correctness of our construction, we observe that if' is satisfiable 
if and only if ip is satisfiable. The proof then proceeds by an induction on the 
formula structure, considering only the state subformulas. The only non standard 
argument is the correctness for formulas of the form E-f/'j. But this is easy to 
formalize given the explanation above. □ 

E Proof of Lemma 14.41 

E.l Note on the Existence of Homogeneous Runs 

Claim. Let 2t be a fc-WPHAA and T a tree. 21 has an accepting run on T if and 
only if 2t has an accepting homogeneous run on T. 

This claim can be proved by observing that the configuration graph of 21 can 
be seen as the arena of a two-player game with parity winning condition. Note 
that the acceptance condition of 2t is special kind of parity condition [IS] . The 
existence of memoryless winning strategies in such games |10I28| implies that if 
21 has an accepting run (i.e., a winning strategy), then 21 has also a homogeneous 
accepting run (i.e., a memoryless winning strategy). 

E.2 Construction of *8 

We describe which information is stored in the states of 05 and how it is used 
to check existence of an accepting run of 21. A formal definition of *B is given 
afterwards. 

First, *B needs information about which states are taken by 21 during r at x. 
Even more, *B needs to know which states are taken with respect to the same 
placement of the pebbles. Fortunately, if two pebble placements y and y' with 
mpp(2/) = rnpp(y') give rise to the same set S of states occurring at x, we do 
not have to distinguish these sets. 

The states of *B will be of the form {Xq, . . . , X^, p), where p G M and each 
Xi is a set of tuples {S,uS,dS,rS,uP,dP,auP,adP,rdP,C,aC) G (2'3«)4 x 
(■2Qax<92i)7^ where the sets S are the sets described above and the other compo- 
nents will be explained below. Note that there are at most 2*^^" ^ many different 

tuples, where n = \Q%\. Therefore, there are at most (2^ )*''+^ many different 
states of 05. As we can assume that k < n, the size of 05 is at most doubly 
exponential in n. 

Let X be a node of T and {Xq, . . . ,Xk,p) the state taken by 05 at x. p will 
be true iff x is the root of T. The sets Xi will contain the following information 
about the guessed run r: For every pebble placement y with mpp(y) = i, the set 



Xi will contain a tupleQ {S, uS, dS, rS, uP, dP, auP, adP, rdP, C, aC) as described 
in the following. 

S* := {g 6 Q21 I {<l,x,y) occurs in r} 
uS {q G Q21 I ■ —1, y) occurs in r as child of a node {q' , x, y)} 
dS := {q G Qa | (g, a;, y) occurs in r as child of a node (g', a; • —1, y)} 

The latter two sets are used to check consistency of guesses of ?B. As men- 
tioned above, *8 has to check that the guessed run r is accepting. To this end, 
we distinguish two kinds of infinite paths in r: Those that go down the tree ar- 
bitrary far can be handled by the acceptance condition of *8 as described below. 
But there might be also bounded paths, i.e., paths that contain only nodes up to 
a certain depth. These paths necessarily end up in a loop. 03 has to check that 
these loops contain a state from G or do not contain a state from B, depending 
on whether they consist of existential or universal states. This will be done at 
those nodes x, such that the loop contains a configuration {q,x,y) but no con- 
figuration with a strict descendant of x, except if an additional (compared to 
y) pebble was placed before. To perform these checks, S maintains information 
about the following three kinds of paths in r. 

An upward path is a path in r starting from a configuration (p,x ■ — \,y) and 
ending in a configuration (q,x,y) such that there is no intermediate configura- 
tion {p'x',y) where x < x' , and there is no intermediate configuration {p'x',y') 
with mpp(y') < mpp(y). Note that intermediate configurations {p'x',y') with 
mpp(i;') > mpp(y) and x < x' are allowed. 

uP :— {{p, q) G (Qa)^ I there is an upward path from (p, x ■ —1, y) to (g, x, y)} 

A downward path is a path starting from a configuration (p, x, y) and ending 
in a configuration (g, x • —1,2/), without an intermediate configuration {p'x',y') 
with X ^ x'. In particular, the pebbles that are placed at the beginning of a 
downward path will not be lifted along this downward path as they are placed 
at 2: • —1 or above. 

dP := {{p, g) G (Qa)^ | there is a downward path from (p, x, y) to (g, x ■ —1, y)} 

As the third kind of paths in r, we consider paths that start in a config- 
uration where the last pebble is placed at the current node and that end by 
lifting this pebble. If either mpp(y) = or mpp(y) > 1 and yi ^ x, with 
y = (yi, . . . , yi, ±, . . . , _L), then C = 0. Otherwise, if yi = x, C is the set of all 
tuples (p, g) G (Qa)^ such that there is a path in r starting from (p, x, y) and 
ending at (g, x, (j/i, . . . , j/i-i, ^, . . . , _L)) where mpp(j/') holds for all intermediate 
configurations {p',x',y'). 

Besides information about the existence of paths of the three kinds described 
above, 23 also needs information about whether they contain states from Ga or 

* Note that Xq will always contain exactly one tuple as there is only one pebble 
placement y with mpp[y) — 0. 



-Ba- Let auP be the set of all tuples of states {p,q) G (Qa)^ such that there is 
an upward path in r from (p, x ■ —l,y) to {q, x, y) and 

— either p and q belong to the same existential set Qj and all upward paths 
from (p, a; • — 1, y) to {q, x, y) contain a state from G%, or 

— p and q belong to the same universal set Qj and there is a upward path from 
{p, X ■ —1, y) to {q, X, y) that contains a state from B^n. 

The sets adP and aC are defined analogously. 

Whenever *B guessed some downward path, it has to make sure that this path 
really exists. But the existence of a downward path at a node x might depend 
on the existence of other downward paths at the children of x. A downward path 
can thus be seen as a request generating other requests. 05 has to check that this 
process terminates. 

This can be done along with the handling of the first part of acceptance 
condition for unbounded paths using an interval-technique. For path tt in T and 
every node x on tt, we define Wt^{x) to be the minimal node ^^(2;) > a; on tt 
such that 

1. for each state g' € 5 n for some existential set Qi, each subpath of r 
starting from a node with configuration (j, .t, y and reaching a configuration 
{p, WTr{x),y) with p € Qi visits some state from G, and 

2. for each (p, q) G dP there is a downward path in r from {p, x, y) to [q, x- — l, y) 
on which no descendant of Wt;{x) is visited, 

where the sets S and dP refer to the tuple corresponding to the pebble placement 
y in the state taken by *B at x. Now, for every infinite path tt in T, we define 
an infinite increasing sequence xq,x\,. . . of nodes on tt as follows: xq := e and 
given Xj^ a^j+i := ^^^{xj). Using Konig's Lemma, we can easily prove that such a 
sequence exists if and only if r fulfills the first part of the acceptance condition, 
i.e., the one with respect to the set Gg. The sets rS and rdP are used by *B to 
check these conditions. They get initialized at the root and are updated at every 
transition. As soon as all requests have been fulfilled, they get reinitialized. The 
states in Gsg will be those where all these sets are empty. 

The other part of the acceptance condition, i.e., the one with respect to the 
universal states and the set Ua, can be checked by 03 using the sets S and adP. 

Please note that while the number of states of OS is doubly exponential in 
the number of states of 21, both automata use the same set D. 

We give the formal definition of 05 = (Q^b, ^> -D, Q^, (5(8, {(Gsb, -Bsb)}). For 
sake of presentation, we use a set of initial states instead of a single state. 

The set Q<8 of states of 05 consists of all tuples (Xq, Xi, . . . , Xk^ p), where for 
every < i < /c, is a set of tuples {S, uS, dS, rS, uP, dP, auP, adP, rdP, C, aC) 
from (2'3a)5 ^ g^^^j p e B, such that 

— Xq contains exactly one tuple {S, uS, dS, rS, uP, dP, auP, adP, rdP, C, aC) 

and the sets dP, adP, rdP, C and aC are empty in this tuple, 

— for every tuple from every set Xi, i > 0: dS ^ S, rS ^ S, auP C uP, 
adP C dP, and rdP C dP. 



The initial states of !B are those states where p = true and 

— dS = {q^}, and therefore G S, for the sets S, dS from the tuple in Xq, 

— for every tuple from every set Xi, i > 0: uS = ib, rS = S, uP = dS = 0, 
and dP = 0. 

Note that this implies that the sets auP, adP and rdP are empty as well. The 
first condition is used to justify that q^ € S, avoiding a special case in the 
definition of the transition function below. 

For the acceptance condition of 03, we have to define the two sets G<b and 
B<s- The set Gqs consists of all those states, where, for every tuple from every set 
Xi, r5 = and rdPS = 0. In particular, the state where every set Xi contains 
only one tuple consists only of empty sets is accepting. This state is taken by 
5B at all nodes of T not visited by 2t during the run guessed by 05. A state is 
contained in Brg, if for some tuple from some set Xi, SCiB^ ^ or adP contains 
a tuple {p, q) with p,q G Qj for some universal set Qj . 

For every d G D, let c := {Xq, . . . , Xk, p) and cj := {Xq, . . . , Xj., pj) for 
^ < j < dhe states of 05. We define the transition function Ssb for alld e D and 
all a € S as follows: 

(ci, . . . , Cd) e 6<B (c, CT, d) : <S=^ 

(i) for every i G [0,k] and every j £ [1, d], there is a relation Xi ^ij X^ such 
that G Xi3tj € Xf -.t r^ij tj and Vij G X^Bt e Xi : t ^ij tj, 

(ii) for every i G [1, A;], there is one tuple ti G Xi, one tuple l{ti) G Xi-i, and 
for every j G [1, d] one tuple tij G X^ with ti j, and 

(iii) for every tuple t = {S,. . .) from some set Xi and every state q £ S such 
that (5a {q, o, d,b) = a for some Boolean combination a, where b = true if 
and only ii t = t^, there exists a set C (Z) U {—1,0, root}) x that 
exactly satisfies a, 

such that the conditions (1) to (19) given below are satisfied. 

The sets represent the guess of 03 on how 21 acts at the current node. Here 
we use that we only consider homogeneous runs. The relations ^i^j establish 
a connection between tuples referring to the same pebble position. Finally, the 
tuples from (ii) are those referring to the situation where the last placed pebble 
is placed at the current node and l{t1) refers to the situation reached from the 
one corresponding to t1 by lifting the last pebble. Note that l{t1j^i) = if and 
only if refers to the situation where both pebbles, i and i + arc placed at 
the current node. 

In the following conditions on the transition function, we use Sf to denote 
the first set in the tuple and analogous notation for the other sets from the 
tuples fi and t^^ . 

The first condition states that after applying a transition, 03 is not at the 
root of T anymore. This ensures that there is exactly one state {Xq, . . . ,X}~,p) 
with p = true in any run of 05: the initial state. 



(1) For all j e [l,d\: pj = false. 



The next six conditions assure that the states c,ci, . . . ,Cd are consistent with 
the transition function and that every Ci is consistent with c. 

(2) For all states q G Qa 

— if S<2i{q,a,d,b) = (drop,p), then 

• if g G 5 for some tuple t = {S, . . .) G Xi for some i G [0,k — 1], then 
p G S'f+i and t = and 

• S iov all tuples (5, . . .) G X^, 

— if 6f2i{q,a,d,b) = (lift,p), then 

• g ^ 5 for all tuples {S, . . .) G Xq, 

• if (7 G Sf for some tuple with i G [1, k], then p G litj), and 

• for every i G [1, k] and every t = {S,. . .) G Xi \ {tj}, q ^ S, 

— if 1^21 (g, cr, rf, 6) = a and g G 5 for some tuple t ~ {S, uS, . . .) G with 
i G [0, k], then for all j G [!,(/], all tuples tj = (. . . , ^5^-, . . .) G X^ with 
* ^i.j tj , and all (e, p) G 

• if e = — 1, then p G liS*, 

• if e = 0, then p G 5, 

• if e > 1, then p G rf5e, and 

• if e = root, then p = true and p G S. 

(3) For every i G [0, fc] and every j G [1, rf] and for all tuples t = (5, . . .) G 
and = {Sj,uSj, . . .) G with t tj: uSj C S. 

(4) For every state g G 5 for some tuple t = {S, uS, ,dS . . .) G Xj with i G [0, k], 
there is a sequence of pairwise disjoint states qi,. . . ,qi from S, such that 

— qi = q, 

— one of the following conditions holds for qi 

• qi G dS, 

• gi G uSj for some j G [l,c?] and some tuple tj = {Sj,uSj, . . .) G X^ 
with t tj, or 

• i G [1, k], t = t1, and there is a state p G S' with l{t) = (S", . . .) G 
Xi^i, such that S<^{p,a,d,b) = (gi,drop), where b = true if and 
only if l{t) = t'^_i, or 

• i G [0,k — 1], t = and there is a state p G S' with = 
(S",.--)i such that S<2i{p, a, d, true) = ((ji,lift), 

— and for every j, I < j < I, 5^{qj,a, d,b) = a for some Boolean combina- 
tion a and (0, qj+i) G Yg. , where b = true if and only if t = t^. 

(5) For all tuples t — {S, uS, . . .) G X,; with i G [0, k] and all states G US', there 
exists a state p G S such that (— 1, g) G Y*. 

(6) For every j G and every tuple tj = {Sj,uSj,dSj, . . .) G X^^* with i G 
[0, k], there exists a state p G S such that (j, g) G 1^*, where t = (S, . . .) G Xj 
with t tj . 



Conditions (7) to (9) check consistency of the information about downward 
paths. These conditions also propagate request for downward paths. Consistency 
of the sets C and aC is checked by conditions (10) to (12). 

The conditions (7) to (12) have to hold with respect to every tuple t = 
{S,uS,dS,rS,uP,dP,auP,adP,rdP,C,aC) e Xi for all i e [0,fc]. Let tj = 
{Sj,uSj, . . . , aCj) e for all j G [1, rf] denote those tuples such that t -^ij tj. 

(7) For all {p, q) <= dP, it holds that p € S, q E uS, and there is a sequence of 
pairwise disjoint states qi, . . . ,qi, I > 1, from S, such that qi = p, {—l,q) € 
y^* and for each h € [1,1 — 1] one of the following conditions holds: 

- iO,qh+i)eYl, 

- i < k and there is a state p' G S" with t'^_^-^ = (5", . . . , C", aC) G Xi_^.i 
and l{tf_^_i) = t, such that 5<2i{qh,(T,d,b) = (drop,p') and {p',qh+i) S C, 
where b = true if and only if t = tf, or 

- there is a j G [l,d] and a state p' G dSj such that {j,p') G Y^^ and 
{p',qh+i) G dPj, and if {p,q) G rdP, then {p',qh+i) G rrfP,-. 

(8) For all {p, q) G such that p and g belong to the same universal set: If 
there is a sequence of states qi,. . . ,qi as specified in condition (7), such that 
one of the states qi, ... ,qi,q is in B<s, one of the tuples {p' , qh+i) G C is in 
aC, or one of the tuples (p', qh+i) G dPj is in adPj, then (p, q) G adP. 

(9) For all {p, q) G adP such that p and q belong to some existential set: p G Ga, 
q G Ga, or the following condition holds: For all sequences of pairwise disjoint 

states qi, . . . ,qi from S such that qi = p and {—\,q) G YJ^* , and all sequences 
((ii,pi), . . . , ((i;_i,p;_i), where {dh,Ph) G (D U {drop,0}) x Qa and for all 
/l G [1,1] 

- {dh,Ph) G Yq*^ , rf/i = 0, and ph = g/i+i, 

~ {dh,Ph) G Yq'^, (i/i > 1, and (jph,qh+\) G dPd^, or 

- dh= drop, pft G 5" with t1^^ = {S', ...,C', aC) G X^+i and Z(%i) = t, 
5{qh,(J,d,b) = (drop,p'), where b = true if and only if t = t^, and 
{Ph,qh+i) G C, 

there is a /i G [1,1] such that 

- G Ga, 

- h <l and (p/i,Q/i+i) G adPd^, or 

- h<l and (p^, g/j+i) G aG'. 

(10) If i = or t ^ then G = 0. Else, for all (p, 9) G G, it holds that p G 5, 
q € S' with Z(f) = (S", . . .), and there is a sequence of pairwise disjoint states 
qi,...,qi, I > 1, from S, such that qi = p, S<n{qh,cr,d, true) = (lift,g), and 
for each h € [1,1 — 1] one of the following conditions holds: 

- io,qh+i)eYl, 

- (root,g/(+i) G Y^^ and p = true, 

- i < k and there is a state p' G S" with t^_^-^ = {S', . . . , C, aC) G Xj+i 
and Z(ti+i) = t, such that (5a(9/i,(J, rf, true) = (drop,p') and {p' ,qh+\) G 
C, 

- there is a state p' G US' such that (— l,p') G i^*^ and (p', g/j+i) G mP, or 



- there is a j G and a state -p' G dSj such that € F^*^ and 

(11) For all G C such that p and q belong to the same universal set: If 
there is a sequence of states qi,...,qi as specified in condition (10), such 
that one of the states gi, . . . , g;, g is in Bs^, one of the tuples {p' , qh+i) G C 
is in aC, one of the tuples {p',qh+i) G uP is in auP, or one of the tuples 
{p',qh+i) G dPj is in adPj, then {p,q) G aC. 

(12) For all (p, g) e o,C such that p and q belong to some existential set: p £ 
G<;i, q G Ga, or the following condition holds: For all sequences of pairwise 
disjoint states qi,...,qi from S such that qi = p and (5a((Z?t, cr, d, true) = 
lift,q), and all sequences {di,pi), . . . , {di^i.pi^i), where {dh,Ph) G (-D U 
{drop, 0, —1, root}) x Qa and for all h G [1, /] 

- {dh,Ph) G Fq*^, d/i = and ph = g/i+i, 

- (dh,Ph) ^ Yq^, P = true, = root, and Ph = qn+i, 

- {dh,Ph) G Fg*^, dh = -1 and (p;,,g,i+i) G uP, 

- {dh,Ph) G Yg*^, d/i > 1 and (ph,g/i+i) G dPd^, or 

- 4 drop, p,, G S' with t^^+i = (S", . . . , C", aC") G X^+i and lifr^-^) = t, 
S{qii,a,d,b) = (drop,p'), where b = true if and only if t = t^, and 
{Ph,qh+i) G C", 

there is a ft. G [1,1] such that 

- qj G Gsi, 

- h <l and {ph,qh+i) G auP, 

- h <l and (p^, g/i+i) G adPd,^, or 

- h <l and {ph,qh+i) G aG'. 

The following three conditions check consistency of the information about 
upward paths. Opposed to the preceding conditions, this information is checked 
for the states Cj using the information at c. For every j G [l,d], every i G [0, k], 
and every tuple t j = (Sj, uSj , dS'j , rSj ,uPj, dPj , auPj , adPj , rdPj , Cj ,aCj) G 
X/ , there is a tuple t = {S, uS, dS, rS, uP, dP, auP, adP, rdP, C, aC) G Xi with 
t '^ij tj, such that the conditions (13) to (15) are satisfied. 

(13) For every tuple (p, q) G uPj, there is a sequence of states qi,. . . ,qi from S, 
such that qi = p, {j, q) G Y*^ , and for every h G [1,1] 

- {0,q^+^)€Yl, 

- (root, qh+i) G Y^^ and p = true, 

- there is a state p' G US' such that (— l,p') G Y^*^ and {p', qh+i) G uP, or 

- i < k and there is a state p' G S" with t'i_^_i = {S' , . . . , C , aC) G Xj+i 
and i(ti+i) = t, such that 5<}i{qh,cr,d,b) = (drop,p') and {p',qh+i) G C, 
where b = true if and only if f = f?. 

(14) For all {p,q) G uPj such that p and g belong to the same universal set: If 
there is a sequence of states qi,. . . ,qi as specified in condition (13), such 
that one of the states qi, ... ,qi,q is in Bf^, one of the tuples (p', qh+i) G C 
is in aC, or one of the tuples {p', qn+i) G uP is in auP, then {p, q) G auPj. 



(15) For all {p, q) S auPj such that p and q belong to some existential set: p e Gsa, 
q G Gai or the following condition holds: For all sequences of pairwise disjoint 
states qi, . . . ,qi from S such that qi = p and ( j, q) G V^* , and all sequences 

. . . , where {dh,Ph) G {drop, 0, -1, root} x Qa and for 

all /i G [1, 

- {dh,Ph) G Y;,*_ . (fft = 0, and ph = qh+i, 

- {dh,Ph) G Y^^, p = true, r4 = root, and ph = qh+i, 

- {dh,Ph) G F^*^, rf/i = -1. and {ph,qh+i) G mP, or 

- dh= drop, G 5" with tf+i = (S", . . . , C", aC) G X^+i and = t, 
6{qh,<7,d,b) = (drop,p'), where b = true if and only if t = t^, and 

{Ph,qh+i) G C, 
there is a ft, G [1,1] such that 

- (7j G Ga, 

- h < I and (p^, g/i+i) G auP, or 

- h <l and {ph,qh+i) G aC". 

Conditions (16) and (17) are used to check that every bounded path in r is 
accepting. As described above, we check that every upward loop contains a state 
Ga if all states in the loop are existential, and that it does not contain a state 
from Ba if they are universal. 

(16) For every tuple t = {S, uS, dS, rS, uP, dP, auP, adP, rdP, C, aC) with t G X, 
for some i G [0,fc], and every existential state q G S: U there is a se- 
quence of states qi,. . . ,qi from S with qi = qi = q and a sequence of tuples 
{di,pi), . . . ,{di-i,pi-i) with {dh,Ph) G {drop, 0, -1, root} x Qa, such that 
for ah he [1,1] 

- {dh,Ph) G Y*^, dh=0 and ph = qh+i, 

- {dh,Ph) G Y*^, p = true, dh = root, and ph = qh+i, 

- {dh,Ph) G Fg^, dh = -1 and {ph,qh+i) G uP, or 

- dh= drop, Ph G S' with t^^^ = {S', . . . , G', aC) G Xi+i and Z(%i) = t, 
5{qh,(J,d,b) = (p',drop), where b = true if and only if t = t^, and 
{Ph,qh+i) G C, 

then there is a /i G [1, Z] such that 

- qj G Ga, 

- h < I and (p/i,(7/i+i) G auP, or 

- h <l and G aG'. 

(17) For every tuple t = {S, uS, dS, rS, uP, dP, auP, adP, rdP, C, aC) with t & Xi 
for some i G [0, k], and every universal state q E S: For all sequences of states 
qi,. . . ,qi from S with qi = qi = q and all sequences {di,pi), . . . , {di-i,pi-i), 
where {dh,ph) G {drop, 0, —1, root} x Qa and for all h G [1, 1] 

- {dh,Ph) G Fq^, dh = and p,, = qh+i, 

- {dh,Ph) G Yg*^, p = true, = root, and ph = qh+i, 

- {dh,Ph) G Y^^, dh = -1 and {ph,qh+i) G uP, or 

- d;, = drop, Ph G S" with = {S', . . . , G', aG') G X,+i and /(t^^^) = t, 
5{qh,(T,d,b) = (p',drop), where b = true if and only if t = t^, and 
{Ph,qh+i) G C, 



the following conditions hold for every h € 

- Qj ^ -Ba, 

- iih <l, then {ph,<lh+i) ^ auP, and 

- ifh <l, then {ph, qh+i) ^ aC. 

The next eondition updates the request sets used to check the acceptance; of 
unbounded paths in r. This condition has to hold with respect to every tuple 
t = {S,uS,dS,rS,uP,dP,auP,adP,rdP,C,aC) e Xi for all i e [i),k]. Let tj = 
{Sj , uSj , dSj , rSj . . . , aCj ) G Xf for all j e [1 , rf] denote those tuples such that 
t tj. 

(18) For all existential states p £ rS, all j £ [1, d], and all states q £ dSj, if there 
is a sequence of pairwise disjoint states qi, . . . ,qi from S such that 

- qi =p, 

- q ^ Ga, qh ^ Ga for h £ [1, Z], and 

- for all he [1,1- 1], 

• (0,%+i) ey,*, 

• (root, qh+i) £ F,*^ and p = true, 

• there is a state p' £ uS* such that (— £ y^*^ and {p',qh-\-i) S 
wP \ auP, or 

• i < k and there is a state p' £ 5' with f:^^ = (S", . . . , C, aC) £ X^+i 
and i(ti+i) = such that 6<2i{qh,cr,d,b) = (drop,p') and {p',qh+i) € 
C \ aC, where b = true if and only if f = t?, 

then q £ rSj. 

The last condition reinitializes the request sets after all previous requests 
have been fulfilled. 

(19) If, for every tuple (5, uS, dS, rS, uP, dP, auP, adP, rdP, C, aC) £ Xi with i £ 
[0, A:], rS* = and rdP = 0, then for all j £ [1, d], all i £ [0, k], and all tuples 
{Sj , uSj , dSj , rSj , uPj , dPj , auPj , adP,- , rdPj , Cj , aCj ) £ X| 

- rSj = Sj \ G<^ and 

- rdPj = dPj. 

This concludes our construction. 

To prove correctness of our construction, assume that r is an accepting run 
of 21 on a tree T. Obviously, we get an accepting run for *B on T by choosing 
those states that represent the run r as indicated above. 

For the reverse direction, assume that there is an accepting run of *B on T. 
For every node x of T, there is a possible behavior of 21 at a; (the sets above) 
that is consistent with the run of 5B. Prom these, starting with the initial state 
of 21 at the root of T, we can construct a run for 21 and show that this run 
is accepting. The details are basically a reproduction of the construction given 
above. 



F Proof of Proposition 14.51 



Let T E be a tree and r a homogeneous accepting run of 2t on T. Wc show 
how to obtain from T a tree T', such that the branching degree of T' is at most 
2n^-(fc+i) and T' G i(2l). 

Let X be some node of T and Tr^ the subtree rooted at x. Assume that 21 
enters in a state q during the run r while having placed i pebbles outside of T^. 
I.e., we consider a configuration c := (g, x, y) with mpp(?/) = i and ympp(i/) 7^ 2;. 
Every path starting from c either stays in T^; or leaves in taking some state p 
at the parent node of x. Put into the notation used in the proof of Lemma 14.41 
There is a downward path from q to p. 

Let ff:Q^ 2'^ be the mapping assigning to every state q the set of states 
in which is left when entered in q with k — i pebbles in hand. Note that 
might be entered many times during r. But since r is homogeneous, the resulting 
sets of states are always the same, i.e., the functions ff for i G [0, /c] are well 
defined and describe how 21 behaves on . We therefore call f§, . . . , the type 
of X. As the size of a type is • (/c + 1), there are at most 2"' ('=+i) different 
types. 

Now assume that there are two sibling nodes x and y in T that have the 
same type. Let T' be the tree obtained from T by removing Ty. Then we can get 
an accepting homogeneous run r' of 21 on T' by moving into T,j; whenever going 
into Ty in r. Note that this refers to O-nroves and uses that r is accepting, i.e., 
that every infinite path of r in Tx and Ty is accepting. 

Applying this procedure level-wise top-down results in a tree with branching 
degree bounded by 2" C^+i) that is accepted by 2t. 



